
Suspicious TCPip Connections/ Listening ports


This topic is locked (15 replies).

#1 2nuhh (Members, 33 posts)

Posted 15 February 2015 - 07:15 PM

Originally posted here: http://www.bleepingcomputer.com/forums/t/567154/suspicious-tcpip-connectionsexplorerexe-connecting-with-https/

 

OS: Windows 8.1

 

Hello, recently I encountered an issue with my PC. Specifically, various TCPip connections are being made to various domains (Akamai, Amazonaws, and others) while I am not in my internet browser. Even more concerning is that my explorer.exe is establishing a connection through port 443 (HTTPS) to a Windows.com domain (according to CurrPorts app). I'm not sure if that's the norm, or not, but, I don't see why my explorer.exe of all things needs to have an active connection to the web. Equally concerning, while viewing Resource Monitor, "System" and "LMS.exe", often have an active network connection. (Note: I've managed to prevent "LMS.exe" from making connections through firewall restrictions)

 

 While looking at IPConfig (from CMD.exe) I'm noticing that my IPv6 connection is using a temporary IPv6 address. Not being greatly familiar with advanced network settings, this threw a red flag up for me (among other things), as I hadn't configured my network to run in such a manner. In regards to this IPv6 setting, while viewing my Resource Monitor, I'm noticing a LOT of IPv6 & IPv4 Loopbacks. Again... Being unfamiliar with advanced networking, I'm not sure if this is the norm.

 

After some preliminary checks I'm coming up empty (Avira, EEK, Kaspersky, FRST registry check appears OK). However, I'm almost certain I have some sort of Trojan/Malware that has potentially corrupted files, as I have a lot of unsolicited network activity (although typically unnoticeable without a Resource Monitor/ CurrPorts).

 

Once I finally stopped freaking out over my practically brand new computer being potentially infected, I checked out my firewall settings and locked down any and all Rules that did not appear to be critical, as well as some that seemed "official". In doing so, I've limited a lot of the attempted connections while retaining access to the Internet.

 

So.....! I've posted this here to get some user-feedback regarding the matter until a BC pro can address my initial post. Any and all help/feedback is greatly appreciated!


Edited by 2nuhh, 15 February 2015 - 07:17 PM.



#2 quietman7 (Bleepin' Janitor, Global Moderator, 50,558 posts, Virginia, USA)

Posted 15 February 2015 - 07:26 PM

After posting a new topic with logs in that forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the information or any log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 2nuhh (Topic Starter, Members, 33 posts)

Posted 15 February 2015 - 07:34 PM

To clarify, any changes made were prior to requesting help here (My initial reaction to seeing the connections was to close them, as to prevent, or at least limit any furthering of a potential infection). That said, the main purpose of this post was to gather user-feedback. For instance, "yes, it's normal for LMS.exe to obtain a network connection.", or, "This is ordinary for Windows 8.1". The thread is for discussion purposes only- wondering if this is just me, or common Windows 8.1 operation.

 

The only action I would perhaps take from any feedback, would be either continue using the PC, or shut it down to potentially prevent further infection (if it's infected at all).

 

Thank you for your response, though!   :-)


Edited by 2nuhh, 15 February 2015 - 07:35 PM.


#4 quietman7 (Bleepin' Janitor, Global Moderator, 50,558 posts, Virginia, USA)

Posted 15 February 2015 - 07:42 PM

How To Identify Unknown Network Connections In Windows with TCPView

#5 Didier Stevens (BC Advisor, 2,620 posts)

Posted 16 February 2015 - 02:56 PM

Are you familiar with currports, or is this the first time you use it?

 

What's the state of these connections? Established?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 2nuhh (Topic Starter, Members, 33 posts)

Posted 16 February 2015 - 03:02 PM

I'm new with Currports, but familiar enough with basic networking to know that connections are being made. The connections are established, not just Listening, or TimeWait. That said, LMS.exe is back to making connections despite firewall settings restricting the program from making connections. Resource Monitor (opened from Task Manager) backs up what CurrPorts is showing me as well.



#7 Didier Stevens (BC Advisor, 2,620 posts)

Posted 16 February 2015 - 04:12 PM

LMS.exe? That's a program from Intel?

 

To what IP/domain is it connecting?

 

How did you configure your firewall to block LMS from making connections?




#8 2nuhh (Topic Starter, Members, 33 posts)

Posted 16 February 2015 - 06:21 PM

Yes, LMS.exe is Intel's "Local Management Service". From what I've read it is predominantly used in business networks. As I type this, it has no active connection, however it is listening for both an unspecified IPv6 & IPv4 address, both on ports 49157 (TCP). Given that it's listening for IPv6/4 connections, I'm going to venture a guess that it's an internal connection. That said, there are about a dozen or so IPv6/4 loopbacks that I firewalled. There's also about three dozen unspecified IPv6/4 connections that are being listened on by, "System", Wininit.exe, multiple Svchost.exe's (Local/Netsvc/RPCSS), LSASS.exe, Spoolsv.exe, jhi_service.exe, NVbackend.exe, NvNetworkService.exe... And a few others.

 

Furthermore, it seems that my Avira Antivirus has been hijacked and is establishing a connection to IP addresses 198.23.64.20 & 207.109.221.178. Upon resolving them, we get SoftLayer Technologies, and an Akamai Technologies IP (respectively)... That said, while monitoring over the past few days, I've seen Amazonaws, AkamaiTech, and Windows.com domains, a LOT. I feel like with their big names, I shouldn't worry, but, the mere fact that my computer is establishing connections without me giving it the okay is worrisome- especially being into the whole personal privacy thing.

 

Also, I used the Windows Firewall to establish inbound/outbound connection rules. There were a lot of pre-existing IPv6/4 rules when I first looked at it & blocked basically everything I saw. Not to fear though, what was done can be easily undone if it's the norm. Something's telling me it's very much not the norm though.

 

Edit: To clarify about Firewalling LMS.exe. I outright blocked the program from making inbound/outbound connections.


Edited by 2nuhh, 16 February 2015 - 06:46 PM.


#9 2nuhh (Topic Starter, Members, 33 posts)

Posted 16 February 2015 - 10:16 PM

Omg... it's on my phone. Plz Help!!!

#10 mremski (Members, 480 posts, NH)

Posted 17 February 2015 - 07:22 AM

Hmm. Might Windows update or other bits of windows go out to windows.com? Aren't lots of things distributed by akamai (updates, etc?) Apply the OpenBSD philosophy: default deny. Disable all inbound and outbound connections for everything, run for a few days. See what complains, turn on little bits at a time. Disallow inbound connections unless they are in response to an outbound connection (like don't accept DNS queries inbound unless you are running a DNS server. DNS responses inbound because of your query should be ok).

 

It's amazing how little one actually needs to have enabled to have a functional system; maybe a dozen total including both TCP and UDP ports.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
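The default-deny approach mremski describes, expressed for the built-in Windows Firewall as an added example (this is not code from the thread or from any of its posters). It assumes an elevated PowerShell on Windows 8 or later with the NetSecurity module; the baseline port list and the program path in the commented-out Set-NetFirewallRule line are assumptions to adjust per host. The drop log is what tells you "what complains" after a few days of running this way.

```powershell
# Added example, not from the thread: "default deny" on the Windows Firewall,
# then read the drop log to find out what actually needed to talk.
# Run from an elevated PowerShell; requires the NetSecurity module (Windows 8+).

# 1. Block everything in both directions by default on all three profiles, and
#    log the dropped packets so the allow list is built from evidence, not guesses.
#    Note: rules that are already enabled (e.g. the stock "Core Networking" set)
#    still match before the default action applies; disable them too for a clean slate.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName $log `
    -LogMaxSizeKilobytes 8192

# 2. Allow only a minimal outbound baseline (assumed list; trim to taste).
#    The firewall is stateful, so DNS replies and any other reply to a permitted
#    outbound flow come back without an inbound rule; none are created here.
$allow = @(
    @{ Name = 'Baseline: DNS (UDP 53)'; Protocol = 'UDP'; RemotePort = 53  },
    @{ Name = 'Baseline: DNS (TCP 53)'; Protocol = 'TCP'; RemotePort = 53  },
    @{ Name = 'Baseline: HTTP';         Protocol = 'TCP'; RemotePort = 80  },
    @{ Name = 'Baseline: HTTPS';        Protocol = 'TCP'; RemotePort = 443 },
    @{ Name = 'Baseline: NTP';          Protocol = 'UDP'; RemotePort = 123 }
)
foreach ($a in $allow) {
    New-NetFirewallRule -DisplayName $a.Name -Direction Outbound -Action Allow `
        -Protocol $a.Protocol -RemotePort $a.RemotePort -Profile Any | Out-Null
}

# Optional: tie a rule to one program so that only that binary gets the port.
# (Path is an assumption for this host; anything not listed stays blocked.)
# Set-NetFirewallRule -DisplayName 'Baseline: HTTPS' -Program 'C:\Program Files\Internet Explorer\iexplore.exe'

# 3. After running for a while, summarise what was dropped by direction, protocol
#    and destination port, so each needed service can be allowed deliberately.
function Get-FirewallDrops {
    param([string]$Path = $log)
    # pfirewall.log is W3C format; the field order is given in its "#Fields:" header:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags
    # tcpsyn tcpack tcpwin icmptype icmpcode info path
    Get-Content $Path |
        Where-Object { $_ -notmatch '^#' -and $_ -match ' DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Direction = $f[16]   # SEND (outbound) or RECEIVE (inbound)
                Protocol  = $f[3]
                DstIP     = $f[5]
                DstPort   = $f[7]
            }
        } |
        Group-Object Direction, Protocol, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Top talkers that were blocked: the candidates for the next "little bit" to turn on.
Get-FirewallDrops | Select-Object -First 20
```

Inbound drops in the summary are the probes hitting wildcard listeners; outbound drops show which programs want the network. Adding a rule per entry, scoped to the program and port, keeps the allow list at the "dozen or so" mremski mentions.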


#11 Didier Stevens (BC Advisor, 2,620 posts)

Posted 17 February 2015 - 02:01 PM

I checked for port 49157, but found no intel.

> unspecified IPv6 & IPv4 address

What do you mean with unspecified? Like 0.0.0.0?

 

Those two IP addresses look normal to me, the first is for a cloud service, and the second is Akamai. It doesn't surprise me that an Intel tool uses these.

> the mere fact that my computer is establishing connections without me giving it the okay is worrisome- especially being into the whole personal privacy thing.

If you want control over this, you need a firewall that alerts you for every outgoing connection.




#12 2nuhh (Topic Starter, Members, 33 posts)

Posted 18 February 2015 - 04:02 AM

It's going to take more than just a firewall to correct this... After seeing a folder in my phone named Touchage_Evil and finding in its .PList file contents that it was connecting my phone to the same amazonaws.com domain as on my PC, I've gone ahead and reformatted everything. Computer and all.

That said, the computer is still making the same connections as it was before, through McAfee, Internet Explorer, LMS.exe, SkyDrive, backgroundagent.exe (acer program) and a couple others.

While running an SFC scan in safe-mode, I'll watch my disk usage in the Resource Monitor. As it scans, the disk is writing hundreds of rename "x" file .pf files. Which leads me to believe that the Trojan/Backdoor is covering for itself and running a rename file process just in case SFC picks up an error and tries to correct the problem.

After a more thorough look at the Registry, it's pretty clear that this thing has its hooks sunk deep into the system. And... my best bet is to try and fully wipe the drive and get a new copy of windows to put on it.

Regarding the unspecified IPv6/4 listening connections, I mean exactly that. When viewing the "Listening Ports" list of the networking tab, while in the Resource Monitor, it just lists the listening address as "Unspecified IPv6" or "Unspecified IPv4". To me that indicates that any IPv6/4 connection could access my computer given that it attempts to connect on that port.

At any rate, I'm 100% certain my PC is infected after finding that folder and its contents on my phone.
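To make "Unspecified IPv4/IPv6" concrete (the 0.0.0.0 and :: wildcard addresses Didier asked about), here is an added example, not code from the thread or its posters, that lists every wildcard TCP listener with its owning process, the service names if it is a svchost.exe, the binary's Authenticode status, and the inbound allow rules that would expose it. It assumes Windows 8 or later (NetTCPIP and NetSecurity modules) and an elevated prompt, since process paths for system services are not readable otherwise.

```powershell
# Added example (not from the thread): enumerate TCP listeners bound to the
# wildcard address, which Resource Monitor labels "Unspecified IPv4/IPv6".
# Such a socket accepts connections on every interface, so the two questions are
# which process owns it and whether the host firewall actually lets traffic reach it.
# Assumes Windows 8+ (NetTCPIP / NetSecurity modules) and an elevated prompt.

$wildcard = @('0.0.0.0', '::')   # IPv4 and IPv6 "any address"

$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $wildcard -contains $_.LocalAddress } |
    ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path                      # $null for "System" (PID 4) and protected processes
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }

        # A svchost.exe listener only means something once you know which service it hosts.
        $svc = (Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" |
                Select-Object -ExpandProperty Name) -join ','

        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = $proc.ProcessName
            Services     = $svc
            Signature    = $sig
            Path         = $path
        }
    }

# Unsigned or tampered binaries listening on every interface deserve the first look;
# validly signed Microsoft/OEM services on high ports are usually the normal case.
$listeners | Sort-Object Signature, LocalPort |
    Format-Table LocalAddress, LocalPort, PID, Process, Services, Signature, Path -AutoSize

# Cross-check against the firewall: a wildcard listener is only reachable if an
# enabled inbound Allow rule matches it. Program-scoped rules are matched by path
# (after expanding %SystemRoot%-style variables); port-only rules (Program = Any)
# apply to every process, so they are listed separately at the end.
$inboundAllow = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $prog = ($r | Get-NetFirewallApplicationFilter).Program
    [pscustomobject]@{
        Rule    = $r.DisplayName
        Profile = $r.Profile
        Program = if ($prog -and $prog -ne 'Any') { [Environment]::ExpandEnvironmentVariables($prog) } else { 'Any' }
    }
}

foreach ($l in $listeners | Where-Object Path) {
    $hits = $inboundAllow | Where-Object { $_.Program -ieq $l.Path } | Select-Object -ExpandProperty Rule
    '{0}:{1} {2} -> inbound allow rules: {3}' -f $l.LocalAddress, $l.LocalPort, $l.Process,
        $(if ($hits) { $hits -join '; ' } else { '(none; blocked by default unless a port-only rule applies)' })
}

"Port-only inbound allow rules (apply regardless of program):"
$inboundAllow | Where-Object Program -eq 'Any' | Select-Object Rule, Profile | Format-Table -AutoSize
```

A listener with no matching allow rule is reachable only from the machine itself, whatever address it is bound to; that is the check that separates "listening on Unspecified" from "exposed to the network".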

#13 2nuhh (Topic Starter, Members, 33 posts)

Posted 18 February 2015 - 04:09 AM

Additionally, after starting the PC in safe mode and reviewing the event log, there's a plethora of errors and warnings all generated from that single startup. I have the PC shut down at the moment, otherwise I would list some of the obvious red flags this Backdoor/Trojan is throwing up because it's not getting its way in safe-mode.

#14 quietman7 (Bleepin' Janitor, Global Moderator, 50,558 posts, Virginia, USA)

Posted 18 February 2015 - 06:32 AM

> At any rate, I'm 100% certain my PC is infected after finding that folder and its contents on my phone.


If you need individual assistance with malware removal, please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

#15 2nuhh (Topic Starter, Members, 33 posts)

Posted 18 February 2015 - 07:40 PM

Thank you Quietman.

Nasdaq has addressed my original help topic. Feel free to close this thread when available.





